* Jesse W. Asher ([EMAIL PROTECTED]) wrote:
> 
> Someone recently indicated to me that they believed that natting IRC 
> through a firewall was "inherently insecure" and I wanted to get 
> opinions on that statement.  I guess, in my mind, it isn't any more or 
> less secure than any other service natted through the firewall - it all 
> depends on how comfortable you feel with the inherent security of the 
> client/tool that you're using.
> 
> Comments?

The client/tool is one thing but I think what they were probably getting
at is the issue of DCC.  The problem with DCC is that it expects to be
able to reach any >1024 port on the remote system.  The two clients work
out, over the IRC network, the ports to use.  If your firewall doesn't
allow connections to high ports outbound or inbound, and you don't use
some kind of IRC helper in your firewall, then DCC won't work.  This may
be acceptable to you but some people feel they need DCC.  Using an IRC
helper in your firewall can mitigate these problems some.  They can't
fix everything though because of the way in which the DCC protocol
works.  A user using DCC can potentially allow a scan of the high ports
on at least the machine they're IRC'ing from.

Unfortunately I'm not very familiar with the internals of the netfilter
IRC-helper module or what checks it does but there are some things it
has no way to know due simply to where it has to be and what it gets to
see.  I haven't heard of many people getting attacked in such a way
though so the chances of you being exploited in that way are probably
pretty slim.  Unless you have someone going for you specifically, using
an IRC helper will probably be enough.  Most attackers are going for
'easy' targets, things they can sweep large network blocks for; such as
the recent OpenSSH holes, various Windows-based services, etc.

        Stephen
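
The kind of check a firewall-side IRC helper could apply to a DCC offer before opening a port, as an added example that is not part of the original message and is not the netfilter module's code. The function name, the sample lines and the addresses are constructed for illustration; the check sees only the offer text, so it cannot tell whether the client really has a listener on the port it names.

```python
import ipaddress
import re

# CTCP DCC offer carried in a PRIVMSG:
#   \x01DCC <SEND|CHAT> <argument> <IPv4 as decimal uint32> <port> [size]\x01
DCC_RE = re.compile(r"\x01DCC (SEND|CHAT) (\S+) (\d+) (\d+)(?: \d+)?\x01")


def check_dcc_offer(irc_line, client_ip):
    """Judge one IRC line sent by the inside client (hypothetical helper logic).

    Returns (verdict, detail); verdict is "ignore", "allow" or "drop".
    """
    m = DCC_RE.search(irc_line)
    if m is None:
        return ("ignore", "no DCC offer")
    kind, _arg, raw_ip, raw_port = m.groups()
    ip_num, port = int(raw_ip), int(raw_port)
    if ip_num > 0xFFFFFFFF:
        return ("drop", "address field is not a 32-bit value")
    offered = ipaddress.IPv4Address(ip_num)
    # The offer asks for an inbound hole to ip:port. Only accept it when it
    # names the same host that owns the IRC session it arrived on.
    if offered != ipaddress.IPv4Address(client_ip):
        return ("drop", f"offer names {offered}, session belongs to {client_ip}")
    # DCC negotiates ports above 1024; anything else is refused.
    if not 1024 <= port <= 65535:
        return ("drop", f"port {port} is outside the high-port range")
    return ("allow", f"expect one inbound {kind} connection to {offered}:{port}")


# Constructed sample traffic from an inside client at 192.168.1.10
CLIENT = "192.168.1.10"  # 3232235786 as a decimal uint32
SAMPLES = [
    "PRIVMSG bob :\x01DCC SEND notes.txt 3232235786 5000 1024\x01",  # own address
    "PRIVMSG bob :\x01DCC SEND notes.txt 3232235796 5000 1024\x01",  # 192.168.1.20
    "PRIVMSG bob :\x01DCC CHAT chat 3232235786 22\x01",              # low port
    "PRIVMSG bob :hello",                                            # ordinary chat
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_dcc_offer(line, CLIENT))
```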
